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We introduce a notion of real-valued reward testing for probabilistic processes by extending the tra- 
ditional nonnegative-reward testing with negative rewards. In this richer testing framework, the may 
and must preorders turn out to be inverses. We show that for convergent processes with finitely many 
states and transitions, but not in the presence of divergence, the real-reward must-testing preorder 
coincides with the nonnegative-reward must-testing preorder. To prove this coincidence we charac- 
terise the usual resolution-based testing in terms of the weak transitions of processes, without having 
to involve policies, adversaries, schedulers, resolutions, or similar structures that are external to the 
process under investigation. This requires establishing the continuity of our function for calculating 
testing outcomes. 

1 Introduction 

Extending classical testing semantics ||Tl|7l to a setting in which probability and nondeterminism co-exist 
was initiated in |[T3l . The application of a test to a process yields a set of probabilities for reaching a 
success state. Reward testing was introduced in [8J ; here the success states are labelled by nonnegative 
real numbers — rewards — to indicate degrees of success, and reaching a success state accumulates the 
associated reward. In |12| an infinite set of success actions is used to report success, and the testing 
outcomes are vectors of probabilities of performing these success actions. Compared to HI this amounts 
to distinguishing different qualities of success, rather than different quantities. 

In [13] and [12], both tests and testees are nondeterministic probabilistic processes, whereas (H 
allows nonprobabilistic tests only, thereby obtaining a less discriminating form of testing. In lH we 
strengthened reward testing by also allowing probabilistic tests. Taking rewards testing in this form we 
showed that for finitary processes, i.e. finite-state and finitely branching processes, all three modes of 
testing lead to the same testing preorders. Thus, vector-based testing is no more powerful than scalar 
testing that employs only one success action, and likewise reward testing is no more powerful than the 
special case of reward testing in which all rewards are 1 . LU 
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'in spite of this there is a difference in power between the notions of testing from 1131 and 1121 . but this is an issue that is 
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Figure 1 : Two processes with divergence and a test 

In certain situations it is natural to introduce negative rewards. This is the case, for instance, in the 
theory of Markov Decision Processes |9|. Intuitively, we could understand negative rewards as costs, 
while positive rewards are often viewed as benefits or profits. This leads to the question: if negative 
rewards are also allowed, how would the original reward-testing semantics change? We refer to the 
more relaxed form of testing, using positive and negative rewards, as real-reward testing and the original 
one (from lH, but with probabilistic tests as in 161) as nonnegative-reward testing. 

The power of real-reward testing is illustrated in Figure[T] The two (nonprobabilistic) processes in the 
left- and central diagrams are equivalent under (probabilistic) may- as well as must testing; the T-loops in 
the initial states cause both processes to fail any nontrivial must test. Yet, if a reward of — 1 is associated 
with performing the action a, and a reward of 2 with the subsequent performance of b (implemented by 
the test in the right diagram; see Example 13.81 for more details), in the first process the net reward is 
either (if the process remains stuck in its initial state) or positive, whereas running the second process 
may yield a loss. This example shows that for processes that may exhibit divergence, real-reward testing 
is more discriminating than nonnegative-reward testing, or other forms of probabilistic testing. It also 
illustrates that the extra power may be relevant in applications. 

As remarked, in [6] we established that for finitary processes the nonnegative-reward must-testing 
preorder (Enrmust) coincides with the probabilistic must-testing preorder (Epmust)> and likewise for the 
may preorders. Here we show that, in contrast to the situation for nonnegative-reward (or scalar) testing, 
for real-reward testing the may- and must preorders are the inverse of each other, i.e. for any processes 
A and F, 

A Errmay F iff F E^^^ygj A. (1) 

Our main result is that restricted to finitary convergent processes, the real-reward must preorder coincides 
with the nonnegative-reward must preorder, i.e. for any finitary convergent processes A, F, 



AC, 



iff 



^ —nrmust ^ • 



(2) 



Here by convergence we mean that there is no infinite sequence of internal transitions of the form Aq — ^ 
Ai — ^ • • • with distribution Aq (and thus its successors) reachable from either A or F. This rules out 
the processes of Figure [T] Although it is easy to see that in ^ the former implies the latter, to prove 
the opposite is far from trivial. We employ a novel characterisation of the usual resolution-based testing 
approach, without introducing concepts like, policy Q, adversary lITOll . scheduler [11 J or resolution 161 
that are external to the process under investigation; instead we describe the mechanism for gathering test 
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TTze symbol — between two relations means that they coincide for finitary convergent processes. 
Figure 2: The relationship of different testing preorders. 

results in terms of the weak x-moves or derivations Q the investigated process can make, and hence 
speak of derivation-based testing. 

This allows us to exploit the failure simulation preorder C/rj that in f3l was proven to coincide with 
the probabilistic must testing preorder Epmust based on resolutions, at least for finitary processes. Using 
the derivational characterisation we can show that, for finitary convergent processes, C^-^ is contained in 
Errmust- Convergence is essential here, even though it is not needed to establish that Qfs is contained in 
Enrmust- Combining this with the results from |6| and |3| mentioned above leads to our required result 
that Enrmust is included in Errmust. as far as finitary convergent processes are concerned. Consequently, 
in this case, all the relations of Figure |2] collapse into one. 

The rest of this paper is organised as follows. We start by recalling notation for probabilistic labelled 
transition systems. In Section |3] we review the resolution-based testing approach and show that the real- 
reward may preorder is simply the inverse of the real-reward must preorder. Moreover, using the example 
of Figure [H we show that in the presence of divergence the inclusion of Enrmust in Errmust is proper. In 
Section|4]we present the derivation-based testing approach and also show that the two approaches agree. 
Then in Section[5]we show for finitary convergent processes that real-reward must testing coincides with 
nonnegative-reward must testing. We conclude in Section |6] 

Due to lack of space, we omit all proofs: they are reported in lH. Besides the related work already 
mentioned above, many other studies on probabilistic testing and simulation semantics have appeared in 
the literature. They are reviewed in iSjilJ. 

2 Probabilistic Processes 

A (discrete) probability subdistribution over a set 5 is a function A : 5 — )• [0, 1] with L.se5A(i') < 1; the 
support of such a A is [A] := {^G^ | A(i') > 0}, and its mass |A| is LjgrA] ^{^)- ^ subdistribution is a 
(total, or full) distribution if |A| = 1. The point distribution 1 assigns probability 1 to 5 and to all other 
elements of S, so that \'s\ = {s}. With &siib{S) we denote the set of subdistributions over S, and with 
&{S) its subset of full distributions. 

Let {A,t I A: G /T} be a set of subdistributions, possibly infinite. Then Y^keK^k is the real- valued func- 
tion in 5 ^> R defined by (X.keK^k){s) '■= Y.keK^k{s)- This is a partial operation on subdistributions 
because for some state s the sum of ^k{s) might exceed 1. If the index set is finite, say {l..n}, we often 
write Ai + . . . + A„. For p a real number from [0, 1] we use /?• A to denote the subdistribution given by 
(/7-A)(s) := /7-A(s). Finally we use e to denote the everywhere-zero subdistribution that thus has empty 
support. These operations on subdistributions do not readily adapt themselves to distributions; yet if 
HkeKPk = 1 for some p^ > 0, and the Ayt are distributions, then so is Y^keKPk'^k- 

The expected value Y.ses^{^)'f{^) o^^J" a subdistribution A of a bounded nonnegative function / 
to the reals or tuples of them is written Exp^(/), and the image of a subdistribution A through a func- 
tion / : 5 — ;■ r, for some set T , is written Imgj(A) — the latter is the subdistribution over T given by 
Imgy(A)(f) := L/(,)=, A(5) for each t G T. 



64 Real-Reward Testing for Probabilistic Processes 

Definition 2.1 A probabilistic labelled transition system (pLTS) is a triple (5, Act,— )■), where 
(i) 5 is a set of states, 
(ii) Act is a set of visible actions, 
(iii) relation ^- is a subset of 5 x Act^ x !^{S). 
Here Act^ denotes Act U {t}, where T ^ Act is the invisible- or internal action. 

A (nonprobabilistic) labelled transition system (LTS) may be viewed as a degenerate pLTS — one in 
which only point distributions are used. In this paper a (probabilistic) process will simply be a distri- 
bution over the state set of a pLTS. As with LTSs, we write s -^ A for {s, a, A) G -^, as well as s -^ 
for 3 A : s -^ A and s ^ ior 3a: s -^, with s -^ and s -/>■ representing their negations. A pLTS is 
deterministic if for any state s and label a there is at most one distribution A with s -^ A. It is finitely 
branching if the set {A | s -^ A, a gL} is finite for all states s; if moreover S is finite, then the pLTS 
is finitary. A subdistribution A over the state set S of an arbiti^ary pLTS is finitary if restricting 5 to the 
states reachable from A yields a finitary sub-pLTS. 

3 Testing probabilistic processes 

A test is a distribution over the state set of a pLTS having Act^ Ufl as its set of transition labels, where Q. 
is a set of fresh success actions, not already in Act^, introduced specifically to report testing outcomesHI 
For simplicity we may assume a fixed pLTS of processes — our results apply to any choice of such a 
pLTS — and a fixed pLTS of tests. Since the power of testing depends on the expressivity of the pLTS of 
tests — in particular certain types of tests are necessary for our results — let us just postulate that this pLTS 
is sufficiently expressive for our purposes — for example that it can be used to interpret all processes 
from the language pCSP, as in our previous papers 121 ElO. 

Although we use success actions, they are used merely to mark certain states as success states, 
namely the sources of transitions labelled by success actions. For this reason we systematically ignore 
the distributions that can be reached after a success action. We impose two requirements on all states in 
a pLTS of tests, namely 

(A) if t -^ and t -% with «i , G>2 G H then «i = a>i. 

(B) if t -^ with O) G n and f -^ A with a G Act^ then u -^ for all m G [A] . 

The first condition says that a success state can have one success identity only, whereas the second 
condition is slight weakening of the requirement from [8] that success states must be end states; it allows 
further progress from an co-success state, for some ft) G H, but (O must remain enabled, u 

To apply test to process A we form a parallel composition 0||A in which all visible actions of A 
must synchronise with 0. The synchronisations are immediately renamed into T. The resulting composi- 
tion is a process whose only possible actions are the elements of H^ := H U {t}. Formally, if (P, Act, — >p) 
and (T, Act U fl, — ^x) are the pLTSs of processes and tests, then the pLTS of applications of tests to pro- 
cesses is (C, n, -^), with C = {t\\p I ? G T A 7? G P} and — > the transition relation generated by the rules in 
Fig.O Here if G ^(T) and A G ^(P), then 0||A is the distribution given by (0||A)(?||/7) := @{t)-A{p). 
The resulting pLTS also satisfies (A), (B) above; this would not be the case if we had strengthened (B) 
to require that success states must be end states. 

We will define the result s^{®,A) of applying the test to the process A to be a set of testing 
outcomes, exactly one of which results from each resolution of the choices in 1 1 A. Each testing outcome 



^For vector-based testing we normally take Q. to be countably infinite 1 12|. This way we have an unbounded supply of 
success actions for building tests, of course without obligation to use them all. Scalar testing is obtained by taking \Q.\ = 1. 
Justification for imposing such restrictions can be found in Appendix A of (6l. 
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t-^-r® a^Act /?-^pA a^Act t-^jS p -^p A aeAct 

t\\p-^&\\p t\\p-^t\\A t\\p^e\\A 

Figure 3: Synchronous parallel composition between tests and processes 

is an Il-tuple of real numbers in the interval [0,1], i.e. a function o : 11 — > [0, 1], and its G)-component 
o{(o), for CO gD., gives the probability that the resolution in question will reach an co-success state, one 
in which the success action CO is possible. 

Due to the presence of nondeterminism in pLTSs, we need a mechanism to reduce a nondeterministic 
structure into a set of deterministic structures, each of which determines a single possible outcome. Here 
we adapt the notion of resolution, defined in 161 for probabilistic automata, to pLTSs. 

Definition 3.1 [Resolution] A resolution of a subdistribution A G &sub{S) in a pLTS {S, D., -^) is a triple 
(/?, A, — >«) where {R,^, -^r) is a deterministic pLTS and A e S>sub{R), such that there exists a resolving 
function f : R ^ S satisfying 

(i) Img^(A) = A 

(ii) if r -^R A' for aeQ.t then /(r) -^ Imgy^(A') 

(iii) if /(r) -^ for a G Q^ then r -^r . 

The reader is referred to Section 2 of |l6l| for a detailed discussion of the concept of resolution, and the 
manner in which a resolution represents a run of a process; in particular in a resolution states in S are 
allowed to be resolved into distributions, and computation steps can be probabilistically interpolated. 
Our resolutions match the results of applying a scheduler as defined in fV\\ . 

We now explain how to associate an outcome with a particular resolution, which in turn will associate 
a set of outcomes with a subdistribution in a pLTS. Given a deterministic pLTS {R,0., — >«) consider the 
functional M : {R -^ [0, 1]") -^ {R ^ [0, 1]") defined by 

'l ifr^ 

^(/) (r) (»):=< ifr^andr-^ (3) 

, Expa(/)(w) if r ^ and r ^ A. 

We view the unit interval [0, 1] ordered in the standard manner as a complete lattice; this induces the 
structure of a complete lattice on the product [0, 1]^ and in turn on the set of functions /? ^^ [0, 1]^. The 
functional ^ is easily seen to be monotonic and therefore has a least fixed point, which we denote by 
^{R,a.^R) ; this is abbreviated to V when the deterministic pLTS in question is understood. 
Now we define £/{&,A) to be the set of vectors 

£/{&,A) := {Exp^{Y(^R_a,^^)) 1 (/?,A,^r) is a resolution of 0||A} . (4) 

Example 3.2 Consider the process qj depicted in FigureHta). Here states are represented by filled nodes 
• and distributions by open nodes o. We leave out point-distributions — diverting an incoming edge to the 
unique state in its support. When we apply the test t depicted in Figure Ub) to it we get the process t\\qi 
depicted in Figure Uc). This process is already deterministic, hence has essentially only one resolution: 
itself. Moreover the outcome Exp^N— (V) = V(f ||^i ) associated with it is the least solution of the equation 

V(f ll^i) = i . V(?||^i) + ^ ftt where a^ : Q ^ [0, 1] is the H-tuple with ot(w) = 1 and ot(w') = for all 
co' 7^ CO. In fact this equation has a unique solution in [0, 1]^, namely w. Thus £/{l,'qi) = { W }. □ 
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Figure 4: Testing the process q\ 
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Figure 5: Testing the process ^2 



Example 3.3 Consider the process ^ and the application of the test t to it, as outlined in Figure [5] For 
each k > \ the process t\\q2 has a resolution (/?^,A, ^^a^) such that Exp^(V) = (1 — i) 0); intuitively it 
goes around the loop (k — l) times before at last taking the right hand T action. Thus £/{t,q2) contains 
(1 — ^) W for every k> I. But it also contains ft), because of the resolution which takes the left hand 
T-move every time. Thus £/{t,q2) includes the set 

As resolutions allow any interpolation between the two T-transitions from state si, £/{t,q2) is actually 
the convex closure of the above set. □ 

There are two standard methods for comparing two sets of ordered outcomes: 

Oi <Ho O2 if for every oi G Oi there exists some 02 S O2 such that oi < 02 
Oi <sm02 if for every 02 € O2 there exists some oi £ Oi such that oi < 02 

This gives us our definition of the probabilistic may- and must-testing preorders; they are decorated with 
• ^ for the repertoire ^ of testing actions they employ. 
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Definition 3.4 [Probabilistic testing preorders] 

(i) A E^may rif for cvcry H-test 0, £/{&,A) <ho =6/(0,r). 
(ii) A Q^^ust r if for every H-test 0, i/(0, A) <sm =c/(0,r). 
These preorders are abbreviated to A l^pmay T and A l^pmust T when |^|= 1. 

In [6 1 we estabUshed that for finitary processes C^^^y coincides with l^pmay and E^ust with Ep^^^t 
for any choice of Q.. We also defined the reward testing preorders in terms of the mechanism set up so 
far. The idea is to associate with each success action « G H a reward, which is a nonnegative number in 
the unit interval [0, 1]; and then a run of a probabilistic process in parallel with a test yields an expected 
reward accumulated by those states which can enable success actions. A reward tuple /z € [0, 1]^ is used 
to assign reward h{o)) to success action ft), for each ft) € H. Due to the presence of nondeterminism, 
the application of a test to a process A produces a set of expected rewards. Two sets of rewards 
can be compared by examining their suprema/infima; this gives us two methods of testing called reward 
may/must testing. In f6l all rewards are required to be nonnegative, so we refer to that approach of testing 
as nonnegative-reward testing. If we also allow negative rewards, which intuitively can be understood as 
costs, then we obtain an approach of testing called real-reward testing. Technically, we simply let reward 
tuples h range over the set [—1, 1]^. If o G [0, 1]^, we use the dot-product h-o = T^meCiH^) ' "(w). It 
can apply to a set O C [0, 1]^ so that h-0 = {h-o\o & O}. Let A C [— 1 , 1] . We use the notation \JA for 
the supremum of set A, and \~\A for the infimum. 
Definition 3.5 [Reward testing preorders] 

(i) A l^nrmay T if for cvcry H-test and nonnegative-reward tuple h G [0, 1]^, 
\Jh ■£/{&, A) <\Jh-£/{&,r). 

(ii) A E^rmust r if for every ^-test and nonnegative-reward tuple h G [0, 1]^, 

f\h ■£/{©, A) <f\h-j2/{&,r). 

(iii) A l^^may T if for every H-test and real-reward tuple /z G [— 1, 1]^, 

Uh-£^{e,A)<Uh-£^{e,r). 

(iv) A E^must r if for every H-test and real-reward tuple h G [— 1, 1]*^, 

n/i-^(0,A) < \~\h-£/{@,r). 

This time we drop the superscript D. iff D. is countably infinite. 

It is shown in Corollary 1 of lH that nonnegative-reward testing is equally powerful as probabilistic 

testing. 

Tiieorem 3.6 ISl For any finitary processes A and F, 

(i) A Enrmay T if and only if A Cp^^^y F. 

(ii) A Enrmust T if and only if A Epmust T. 
In this paper we focus on the real-reward testing preorders l^rrmay and Errmust. by comparing them with 
the nonnegative reward testing preorders l^nrmay and Enrmust- Although these two nonnegative-reward 
testing preorders are in general incomparable we have: 

Theorem 3.7 For any processes A and F, it holds that A l^rrmay T if and only if F l^rrmust A. 

Our next task is to compare Errmust with Enrmust- The former is included in the latter, which directly 
follows from Definition 13.51 Surprisingly, it turns out that for finitary convergent processes the latter is 
also included in the former, thus establishing that the two preorders are in fact the same. The rest of 
the paper is devoted to proving this result. However, we first show that this result does not extend to 
divergent processes. 
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Example 3.8 Consider the processes qj and ^ depicted in Figure [T] Using the characterisations of 
Epmay ^nd l^pmust in [31, it is easy to see that these processes cannot be distinguished by probabihstic 
may- and must testing, and hence not by nonnegative-reward testing either. However, let t be the test in 
the right diagram of Figure [T] that first synchronises on the action a, and then with probability ^ reaches 
a state in which a reward of —2 is allocated, and with the remaining probability ^ synchronises with the 
action b and reaches a state that yields a reward of 4. Thus the test employs two success actions cOi and 
a>2, and we use the reward tuple h with h{cOi) = —2 and h{(02) =4. Then the resolution of qj that does 
not involve the T-loop contributes the value — 2 • ^ + 4 • ^ = — 1 + 2 = 1 to the set /j ■ £/{t,'qi), whereas 
the resolution that only involves the T-loop contributes the value 0. Due to interpolation, h ■ £/{t,qi) is 
in fact the entire interval [0, 1]. On the other hand, the resolution corresponding to the a-branch of q2 
contributes the value —1 and h • £/{t,q2) = [— 1, 1]- Thus \~\h ■ £/{t,'qi) = > — 1 = \~\h ■ £/{t,q2), and 
hence qj grrmust qi- O 



4 Derivation-based testing 

In this section we give an alternative definition of £/{&,A). Our definition has four ingredients. First of 
all, for technical reasons we normalise our pLTS of applications of tests to processes by pruning away 
all outgoing T-transitions from success states. This way an ft)-success state will only have outgoing 
transitions labelled ft). 

Definition 4.1 [w-respecting] A pLTS (S,n,— )•) is said to be (O-respecting whenever s -^, for any 
O) G n, implies s -^. 

It is straightforward to modify the pLTS of applications of tests to processes into one that it is (o- 
respecting, namely by removing all transitions s — ^ A for states s with s -^. With [0||A] we denote the 
distribution 0||A in this pruned pLTS. 

Secondly, we recall the definition of weak derivations from ||3l. In a pLTS actions are only performed 
by states, in that actions are given by relations from states to distributions. But processes in general 
correspond to distributions over states, so in order to define what it means for a process to perform an 
action, we need to lift these relations so that they also apply to distributions. In fact we will find it 
convenient to lift them to subdistributions. 

Definition 4.2 Let (^jL,^) be apLTS andM C S'x S^subiS) be a relation from states to subdistributions. 
Then ^ C Qsub{S) x S^subiS) is the smallest relation that satisfies: 

(i) s 3^ A. imphes s ^ A, and 

(ii) (Linearity) F, ^ A,- for /€/ implies (L/e/Prr,) ^ (LieiPi'^d for ^^ly ^^[0)1] 0^^) with 
LieiPi < 1- 

An application of this notion is when the relation is -^ for a G Act^; in that case we also write -^ 
for -^. Thus, as source of a relation -^ we now also allow distributions, and even subdistributions. A 
subtlety of this approach is that for any action a, we have e -^ e simply by taking / = or Y^ieiPi — 
in Definition 14.21 That turns out to make e especially useful for modelling the "chaotic" aspects of 
divergence in [3], in particular that in the must-case a divergent process can simulate any other. 
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Definition 4.3 [Weak derivation] Suppose we have subdistributions A, A^, A^, for ^ > 0, with the fol- 
lowing properties: 

A = A(7 + Ao 

A- ^ Ar + AjX 
Ar ^ Ar+i+A,-^j. 

Then we call A' := YX^qA^ a weak derivative of A, and write A =^ A' to mean that A can make a weak 
derivation to its derivative A'. 

There is always at least one weak derivative of any subdistribution (the subdistribution itself) and there 
can be many. 

Thirdly, we identify a class of special weak derivatives called extreme derivatives. 

Definition 4.4 [Extreme derivatives] A state 5 in a pLTS is called stable if s -^, and a subdistribution 
A is called stable if every state in its support is stable. We write A =^^ A' whenever A =^ A' and A' is 
stable, and call A' an extreme derivative of A. 

Referring to Definition |431 we see this means that in the extreme derivation of A' from A at every stage a 
state must move on if it can, so that every stopping component can contain only states which must stop: 
for s G [A^ + A^ 1 we have s G [A^ ] if and now also only if s -^. Moreover if the pLTS is G)-respecting 
then whenever s G [A^] , it is not successful, i.e. s -^ for every ft) € H. 

Lemma 4.5 [Existence of extreme derivatives] 

(i) For every subdistribution A there exists some (stable) A' such that A =^^ A'. 
(ii) In a deterministic pLTS if A =^^ A' and A =^^ A" then A' = A". 

SM^distributions are essential here. Consider a state t that has only one transition, a self T-loop t — ^ t. 
Then it diverges and it has a unique extreme derivative e, the empty subdistribution. More gener- 
ally, suppose a subdistribution A diverges, that is there is an infinite sequence of internal transitions 

A — ^ Ai — ^ ---Ak — ^ Then one extreme derivative of A is e, but it may have others. 

The final ingredient in the definition of a set of outcomes of an application of a test to a process is 
the outcome of a particular extreme derivative. Note that all states s G [A] in the support of an extreme 
derivative either satisfy s -^ for a unique (0 £Q.,or have sy^. 

Definition 4.6 [Outcomes] The outcome $A G [0, 1]^ of a stable subdistribution A is given by $A(co) = 
I{A(.)|.G[A1,.^}. 

Putting all four ingredients together, we arrive at a definition of £/'^{&,A): 

Definition 4.7 Let A be a process and an H-test. Then £/'^{&,A) = {$A | [0||A] =^>- A}. 

The role of pruning in the above definition can be seen via the following example. 

Example 4.8 Let ^ be a process that first does an a-action, to the point distribution q, and then diverges, 
via the T-loop q — ^ q. Let 7 be the test used in Examples 13.21 and 13.31 Then t\\p has a unique extreme 
derivative e, whereas [t\\p] has a unique extreme derivative [G)||g]. Here we give the name (O to the state 
reachable from t with the outgoing G)-transition. The outcome in £/'^{t,p) shows that process p passes 
test t with probability 1 , which is what we expect for state-based testing. Without pruning we would get 
an outcome saying that p passes t with probability 0. □ 
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As this example is nonprobabilistic, it also illustrates how pruning enables the standard notion of non- 
probabilistic testing to be captured by derivation-based testing. 

Example 4.9 (Revisiting Example 13.21 ) The pLTS in Figure l^c) is deterministic and unaffected by 
pruning; from part (HH) of Lemma 1431 it follows that t\\qY has a unique extreme derivative A. Moreover 
A can be calculated to be J^k>i ^ ''^j which simplifies to the distribution 53. Therefore, ^'^(f,^) = 
{$^} = i"^}. " D 

Example 4.10 (Revisiting Example 13.31 ) The apphcation of the test J to processes q^ is oudined in 
Figure |5lc). Consider any extreme derivative A' from sq = [f||^]; note that here again pruning actually 
has no effect. Using the notation of Definition |4.3[ it is clear that Aq and A^^ must be e and ^o respectively. 
Similarly, A^ and Aj^ must be e and Ji respectively. But s^ is a nondeterministic state, having two 
possible transitions: 

(i) ^1 — ^ Ao where Aq has support {sq^S2} and assigns each of them the weight \ 

(ii) ^1 — ^ Ai where Ai has the support {i'3,54}, again dividing the mass equally among them. 

So there are many possibilities for A2; from Definition 14. 3 1 one sees that in fact A2 can be of the form 

p-Ao + (l-p)-Ai (5) 

for any choice of /? € [0, 1]. 

Let us consider one possibility, an extreme one where p is chosen to be 0; only the transition (ii) above 
is used. Here Aj^ is the subdistribution ^J^, and A^ = e whenever k> 2. K simple calculation shows 
that in this case the extreme derivative generated is Aj = \'s^+ jJZ which implies that 5 0) G £^^(t,q2)- 

Another possibility for A2 is Aq, corresponding to p = 1 in (l5]l above. Continuing this derivation 
leads to A3 being ^ • ^ + 5 • ^; thus A3 = ^-Is and Aj^ = ^ • sj". Now in the generation of A4 from A^ 
again we resolve a transition from the nondeterministic state ^i, by choosing some arbitrary p € [0, 1] in 
©. Suppose we choose p = \ every time, completely ignoring transition (ii) above. Then the extreme 
derivative generated is , 

^0 = 1^-^ 

which simplifies to the distribution 55. This in turn means that ft) € s^^i^^ql). 

We have seen two possible derivations of extreme derivatives from 'sq. But there are many others. In 
general whenever A^ is of the form g • ^7 we have to resolve the nondeterminism by choosing a ;? G [0, 1] 
in ^ above; moreover each such choice is independent. It turns out that every extreme derivative A' of 
'sq is of the form ^ • Aq + (1—^) • A\ for some choice of g € [0, 1], which implies that =e/'^(f ,^) is the 
convex closure of the set {^ oJ, oJ}. □ 

We have now seen two ways of associating sets of outcomes with the application of a test to a 
process. The first, in Section|3l associates with a test and a process a set of deterministic structures called 
resolutions, while the second, in this section, uses extreme derivations in which nondeterministic choices 
are resolved dynamically as the derivation proceeds. We proceed to show that these two approaches give 
rise to the same outcomes. The key result to this end is 

Proposition 4.11 Let A be a subdistribution in an CD-respecting deterministic pLTS {R,Q.,^-r). If 
A =^>~ A' then Expa(V(rp^^^)) = Expf^,(V(^R^a^^^)). 

To obtain it, we need the crucial property that the evaluation function V applied to G)-respecting deter- 
ministic pLTSs is continuous (with respect to the standard Euclidean metric). 

The next proposition maintains that for each extreme derivative there is a corresponding resolution, 
and vice versa. 
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Proposition 4.12 Let A be a subdistribution over the state set of a pLTS {S,Q., — )■). 

(i) Suppose A =^^ A'. Then there is a resolution {R,A, — )-k) of A, with resolving function /, such that 
A =^~R A' for some A' for which A' = Imgy^(A'). 

(ii) Suppose {R,A, -^r) is a resolution of a A with resolving function /. 
Then A =^^r A' impUes A =^~ Img , (A'). 

The definitions of outcomes, resolutions and the functional =^ directly imply that if (/?,A, — >r) is a 
resolution of a subdistribution A£!^sub{S) in a pLTS (5,^,— >), with resolving function /, and A' G 
^sub{R) is Stable, then Imgy (A') is stable and 

ExpA,(V(«,^,^,)) = $A' = $(Img^.(A')). 
In combination with Propositions 14. 1 l| and |4. 12[ this yields: 

Corollary 4.13 In an a)-respecting pLTS {S, Q., -^), the following statements hold. 
(i) If A =^'- A' then there is a resolution (/?, A, -^r) of A such that Expy^(V^s fj^^^) = $(A'). 

(ii) For any resolution {R,A, — )•«) of A, there exists an extreme derivative A' such that A =^^ A' and 

ExpA(V<«,a^,))=$(A'). 

Together with an argument that pruning does not affect ^(0, A), this proves: 
Theorem 4.14 For any test and process A we have that £/'^{&,A) = £/{&,A). 

5 Agreement of nonnegative- and real-reward must testing 

In this section we prove the agreement of Enrmust with Errmust for finitary convergent processes, by 
using failure simulation [3 1 as a stepping stone. We start with defining the weak action relations =^ for 
a G Actt and the refusal relations —/> for A C Act that are the key ingredients in the definition of the 
failure-simulation preorder. 

Definition 5.1 Let A and its variants be subdistributions in a pLTS {S, Act, — >). 

• For a G Act write A ^ A' whenever A =^ AP'"" -^ AP°'*' =^ A', for some AP''^ and AP"'\ Extend 
this to Act^ by allowing as a special case that =^ is simply =^, i.e. including identity (rather than 
requiring at least one — ^). 

• For A C Act and seS write s -^ if s -^ for every a G A U {t}; write A -^ if s -^ for every 

s^\Al 

• More generally write A ^^ if A =^ AP'''^ for some AP"^*^ such that AP"^*^ ^. 

Definition 5.2 [Failure simulation preorder] Define <l^5 to be the largest relation in 5 x &sub{S) such 
that if >y <pj, A then 

(i) whenever s =^ F', for a G Act^, then there is a A' G ^sub{S) with A =^ A' and F' <^ A', 

(ii) and whenever 1 =^—/^ then A =^~/^. 

Any relation .^ C 5 x S!sub{S) that satisfies the two clauses above is called sl failure simulation. The 
failure simulation preorder Qps C &sub{S) x &sub{S) is defined by letting A \Zfs T whenever there is a 
A^ with A ^ A^ and F <;; AI 

Note that the simulating process. A, occurs at the right of <^^,, but at the left of Qfs- 
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The failure simulation preorder is preserved under parallel composition with a test, followed by pruning, 
and it is sound and complete for probabilistic must testing of finitary processes. 

Theorem 5.3 lU For finitary processes A and F, 

(i) If A Qfs F then for any H-test it holds that [A||0] Qfs [F||0]. 

(ii) A Qfs F if and only if A l^pmust T. 

Because we prune our pLTSs before extracting values from them, we will be concerned mainly with 
w-respecting structures. Moreover, we require the pLTSs to be convergent in the sense that there is no 
wholly divergent state s, i.e. with s =^ e. 

Lemma 5.4 Let A and F be two subdistributions in an G)-respecting convergent pLTS {S,Q.,^. If 
A Qfs r, then it holds that r (A) D r (F). Here ^ (A) denotes {$A' [ A =^)~ A'}. 

This lemma shows that the failure-simulation preorder is a very strong relation in the sense that if A 
is related to F by the failure-simulation preorder then the set of outcomes generated by A includes the 
set of outcomes given by F. It is mainly due to this strong requirement that we can show that the 
failure-simulation preorder is sound for the real-reward must-testing preorder. Convergence is a crucial 
condition in this lemma. 

Theorem 5.5 For any finitary convergent processes A and F, if A Qfs F then we have that A l^rrmust T. 

The proof of the above theorem is subtle. The failure-simulation preorder is defined via weak derivations 
(cf. Definition 15. 2I ). while the reward must-testing preorder is defined in terms of resolutions (cf. Defini- 
tion 13.51 ). Fortunately, we have shown in Corollary 14. 141 that we can just as well characterise the reward 
must-testing preorder in terms of weak derivations. Based on this observation, the proof can be carried 
out by exploiting Theorem 15. 3 f i) and Lemma 1541 

This result does not extend to divergent processes. One witness example is given in Figure [T] A 
simpler example is as follows. Let A be a process that diverges, by performing a T-loop only, and let F 
be a process that merely performs a single action a. It holds that A Qps T because A =^ e and the empty 
subdistribution can failure-simulate any processes. However, if we apply the test t from Example 13.21 
again, and the reward tuple h with h{(o) = — 1, then 

\-\h-£^'^{t,A) = nh-{$e} = \~\{0} = 

r\h-^Hin = nh-{'^} = ni-i} = -i 

As \~\h ■ ^'^{t,A) % {\h- s^^(:t,T), we see that A grrmust T. Since r([7||F]) = {at} but ot >"([? ||A]), 
this also is a counterexample against an extension of Lemma [53] with divergence. 

Finally, by combining Theorems 13. 6f ii) and l5.3f ii). together with Theorem 15.51 we obtain the main 
result of the paper which states that, in the absence of divergence, nonnegative-reward must testing is as 
discriminating as real-reward must testing. 

Theorem 5.6 For any finitary convergent processes A and F, it holds that A l^rrmust T if and only if 

'-i !=nrmust ^ • 

6 Conclusion 

We have studied a notion of real-reward testing which extends the traditional nonnegative-reward testing 
with negative rewards. It turned out that real-reward may preorder is the inverse of real-reward must 
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preorder, and vice versa. More interestingly, for finitary convergent processes, the real-reward must 
testing preorder coincides with the nonnegative-reward testing preorder. In order to prove this result, 
we have presented two testing approaches and shown their coincidence, which involved proving some 
analytic properties such as the continuity of a function for calculating testing outcomes. 

Although for finitary convergent processes real-reward must testing is no more powerful than non- 
negative-reward must testing, the same does not hold for may testing. This is immediate from our result 
that (the inverse of) real-reward may testing is as powerful as real-reward must testing, that is known not 
to hold for nonnegative-reward may- and must testing. Thus, real-reward may testing is strictly more 
discriminating than nonnegative-reward may testing, even without divergence. 
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